Embodiments protect against security vulnerabilities arising from 3rd party JavaScript code. A browser receives from a server, a document including a first JavaScript. The browser in turn references a list stored in a database to recognize the first JavaScript as originating from other than the server. This recognition process may involve obtaining a stacktrace. The browser then references a second JavaScript in order to instrument a document object model (DOM) feature (e.g., global API, DOM element-attached API, DOM node property) to sanitize the first JavaScript. For instrumenting a global API, this may comprise overwriting a global reference in the first JavaScript with a replacement reference to a sanitization function. For instrumenting the DOM element-attached API or the DOM node property, the instrumenting may comprise altering a prototype of the DOM node element. The browser causes the DOM feature to sanitize the first JavaScript, and passes a sanitized JavaScript for execution.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method comprising: a browser receiving from a server, a document including a first JavaScript; the browser referencing a list stored in a database to recognize the first JavaScript as originating from other than the server; the browser referencing a second JavaScript for instrumenting a document object model (DOM) feature to sanitize the first JavaScript, said instrumenting comprises altering a prototype of the DOM node element; the browser causing the DOM feature to sanitize the first JavaScript; the browser temporarily restoring the prototype to its original state; the browser assigning an original functionality to the DOM element node; the browser reinstrumenting the DOM feature to sanitize the first JavaScript; and the browser passing a sanitized JavaScript to the document for execution.
2. A method as in claim 1 wherein the DOM feature comprises an application program interface (API).
3. A method as in claim 2 wherein the API comprises a global API, and the instrumenting comprises: before calling an original functionality of the first JavaScript, overwriting a global reference in the first JavaScript with a replacement reference to a sanitization function.
4. A method as in claim 3 further comprising the browser adding another reference to the global API.
5. A method as in claim 2 wherein the API comprises a local API attached to a DOM node element.
6. A method as in claim 1 wherein the DOM feature comprises a property of a DOM node element.
7. A method as in claim 6 further comprising the browser adding properties to the prototype.
8. A method as in claim 1 further comprising the browser obtaining a stacktrace to recognize the first JavaScript as originating from other than the server.
9. A method as in claim 1 wherein the list comprises a whitelist.
10. A non-transitory computer readable storage medium embodying a computer program for performing a method, said method comprising: a browser receiving from a server, a document including a first JavaScript; the browser referencing a list stored in a database to recognize the first JavaScript as originating from other than the server by obtaining a stacktrace; the browser referencing a second JavaScript for instrumenting a document object model (DOM) feature to sanitize the first JavaScript, said instrumenting comprises altering a prototype of the DOM node element; the browser causing the DOM feature to sanitize the first JavaScript; the browser temporarily restoring the prototype to its original state; the browser assigning an original functionality to the DOM element node; the browser reinstrumenting the DOM feature to sanitize the first JavaScript; and the browser passing a sanitized JavaScript to the document for execution.
11. A non-transitory computer readable storage medium as in claim 10 wherein the DOM feature comprises an application program interface (API).
12. A non-transitory computer readable storage medium as in claim 11 wherein the API comprises a global API, and the instrumenting comprises: before calling an original functionality of the first JavaScript, overwriting a global reference in the first JavaScript with a replacement reference to a sanitization function.
13. A non-transitory computer readable storage medium as in claim 11 wherein the API comprises a local API attached to a DOM node element.
14. A non-transitory computer readable storage medium as in claim 11 wherein the DOM feature comprises a property of a DOM node element.
15. A computer system comprising: one or more processors; a software program, executable on said computer system, the software program configured to cause an in-memory database engine to cause: a browser to receive from a server, a document including a first JavaScript; the browser to reference a list stored in an in-memory database to recognize the first JavaScript as originating from other than the server; the browser to reference a second JavaScript for instrumenting a document object model (DOM) feature to sanitize the first JavaScript, said instrumenting comprises altering a prototype of the DOM node element; the browser to cause the DOM feature to sanitize the first JavaScript; the browser temporarily restoring the prototype to its original state; the browser assigning an original functionality to the DOM element node; the browser reinstrumenting the DOM feature to sanitize the first JavaScript; and the browser to pass a sanitized JavaScript to the document for execution.
16. A computer system as in claim 15 wherein in response to the browser receiving the second JavaScript, the software program is further configured to cause the in-memory database engine to store the second JavaScript in the in-memory database.
17. A computer system as in claim 15 wherein the DOM feature comprises a global API, and the instrumenting comprises: before calling an original functionality of the first JavaScript, overwriting a global reference in the first JavaScript with a replacement reference to a sanitization function.
18. A computer system as in claim 15 wherein the DOM feature comprises a local API attached to a DOM node element.
19. A computer system as in claim 15 wherein the DOM feature comprises a property of a DOM node element.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
January 25, 2018
September 29, 2020
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.